justrach
diff --git a/‎README.md‎
Lines changed: 11 additions & 5 deletions b/‎README.md‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎build.zig‎
Lines changed: 6 additions & 0 deletions b/‎build.zig‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/auth.zig‎
Lines changed: 125 additions & 0 deletions b/‎src/auth.zig‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎src/cursor.zig‎
Lines changed: 112 additions & 0 deletions b/‎src/cursor.zig‎
Lines changed: 112 additions & 0 deletions
@@ -27,7 +27,7 @@ npm install turbodatabase     # Node.js
 
 | Feature | Status | Notes |
 |---------|--------|-------|
-| Insert / Get / Update / Delete | ✅ Working | ~14M GET/s in-process, ~42K/s wire protocol |
+| Insert / Get / Update / Delete | ✅ Working | ~13.3M GET/s in-process, ~42K/s wire protocol |
 | B-tree index (FNV-1a) | ✅ Working | O(log N), branching factor 169 |
 | ART index (Adaptive Radix Tree) | ✅ Working | 19M search/s, path compression, Node4/16/48/256 |
 | LSM tree | ✅ Working | MemTable + SSTable + bloom filters, size-tiered compaction |
@@ -36,20 +36,26 @@ npm install turbodatabase     # Node.js
 | WAL group commit | ✅ Working | Parallel WAL with per-core segments |
 | MVCC version chains | ✅ Working | Epoch-based GC, zero read locks |
 | mmap storage | ✅ Working | Zero-copy reads, 256 MiB growth |
-| Columnar projections | ✅ Working | Vectorized filter, 950M scan/s |
+| Columnar projections | ✅ Working | Vectorized filter, 1.02B scan/s |
+| **Vector search (SIMD)** | ✅ Working | **Cosine, dot product, L2 — @Vector(4,f32) SIMD** |
 | Hash/range partitioning | ✅ Working | FNV-1a routing, parallel scatter-gather scan |
 | Calvin replication | ✅ Working | Deterministic sequencer + executor |
 | Shard management | ✅ Working | Consistent hash ring, partition migration |
 | Cross-shard query routing | ✅ Working | Scatter-gather, partition pruning, aggregate merge |
 | io_uring / kqueue | ✅ Working | Async I/O, event-loop server |
 | Binary wire protocol | ✅ Working | TCP_NODELAY, pipelining, batch ops |
 | JSON REST API | ✅ Working | MongoDB-inspired routes on :27017 |
+| **Authentication** | ✅ Working | **API key + BLAKE3 hashing, per-key permissions** |
+| **Schema validation** | ✅ Working | **Required fields, type checking (string/number/bool/object/array)** |
+| **TTL / document expiry** | ✅ Working | **Per-doc TTL with background reaper** |
+| **Cursor pagination** | ✅ Working | **Stable hex-encoded cursor tokens** |
+| **Structured error codes** | ✅ Working | **30+ error codes, HTTP + wire mapping** |
+| Crypto (SHA-256/BLAKE3/Ed25519) | ✅ Working | Zero-dep, Zig std.crypto, FFI-accessible |
 | Python FFI (ctypes) | ✅ Working | `pip install turbodatabase` |
 | Node.js FFI (koffi) | ✅ Working | `npm install turbodatabase` |
-| Collection scan | ✅ Working | Limit/offset pagination |
-| Authentication | 🔜 Planned | Token-based |
-| TLS | 🔜 Planned | Native Zig TLS |
+| TLS | 🔜 Use reverse proxy | Recommended: nginx/Caddy/Fly.io for TLS termination |
 | Multi-doc transactions | 🔜 Planned | Cross-partition ACID |
+| Change streams | 🔜 Planned | WAL tailing subscription API |
 
 ## Benchmarks
 
 
@@ -296,6 +296,12 @@ pub fn build(b: *std.Build) void {
         "src/columnar.zig",
         "src/mvcc.zig",
         "src/crypto.zig",
+        "src/vector.zig",
+        "src/auth.zig",
+        "src/ttl.zig",
+        "src/schema.zig",
+        "src/cursor.zig",
+        "src/errors.zig",
         "src/replication/sequencer.zig",
         "src/replication/calvin.zig",
         "src/replication/shard.zig",
 
@@ -0,0 +1,125 @@
+/// TurboDB — Authentication & Authorization
+///
+/// API key authentication with HMAC-SHA256 verification.
+/// Keys are stored as BLAKE3 hashes — plaintext never persisted.
+///
+/// Wire protocol: First frame after connect must be OP_AUTH with the API key.
+/// HTTP: X-Api-Key header on every request.
+///
+/// No auth configured → open access (dev mode).
+const std = @import("std");
+const crypto = @import("crypto.zig");
+const Allocator = std.mem.Allocator;
+
+pub const MAX_KEYS = 64;
+
+/// Permission level for an API key.
+pub const Permission = enum(u8) {
+    read_only = 0,
+    read_write = 1,
+    admin = 2,
+};
+
+/// A registered API key (stored as hash, never plaintext).
+pub const KeyEntry = struct {
+    hash: [32]u8, // BLAKE3 of the raw key
+    name: [64]u8,
+    name_len: u8,
+    perm: Permission,
+};
+
+/// Auth store. Thread-safe via RwLock.
+pub const AuthStore = struct {
+    keys: [MAX_KEYS]KeyEntry = undefined,
+    count: u32 = 0,
+    enabled: bool = false,
+    lock: std.Thread.RwLock = .{},
+
+    /// Add an API key. Returns the BLAKE3 hash for storage.
+    pub fn addKey(self: *AuthStore, raw_key: []const u8, name: []const u8, perm: Permission) [32]u8 {
+        self.lock.lock();
+        defer self.lock.unlock();
+
+        const hash = crypto.blake3(raw_key);
+        if (self.count < MAX_KEYS) {
+            var entry = KeyEntry{
+                .hash = hash,
+                .name = undefined,
+                .name_len = @intCast(@min(name.len, 64)),
+                .perm = perm,
+            };
+            @memcpy(entry.name[0..entry.name_len], name[0..entry.name_len]);
+            self.keys[self.count] = entry;
+            self.count += 1;
+            self.enabled = true;
+        }
+        return hash;
+    }
+
+    /// Verify an API key. Returns the Permission if valid, null if rejected.
+    pub fn verify(self: *AuthStore, raw_key: []const u8) ?Permission {
+        if (!self.enabled) return .admin; // No auth → full access
+        const hash = crypto.blake3(raw_key);
+
+        self.lock.lockShared();
+        defer self.lock.unlockShared();
+
+        for (self.keys[0..self.count]) |*entry| {
+            if (std.mem.eql(u8, &entry.hash, &hash)) return entry.perm;
+        }
+        return null;
+    }
+
+    /// Check if auth is enabled.
+    pub fn isEnabled(self: *AuthStore) bool {
+        return self.enabled;
+    }
+
+    /// Extract API key from HTTP headers.
+    pub fn extractHttpKey(request: []const u8) ?[]const u8 {
+        const needle = "X-Api-Key: ";
+        const pos = std.mem.indexOf(u8, request, needle) orelse return null;
+        const start = pos + needle.len;
+        const end = std.mem.indexOfScalarPos(u8, request, start, '\r') orelse
+            std.mem.indexOfScalarPos(u8, request, start, '\n') orelse request.len;
+        const key = request[start..end];
+        return if (key.len > 0) key else null;
+    }
+};
+
+// ── Wire protocol auth ──────────────────────────────────────────────────────
+
+pub const OP_AUTH: u8 = 0x10;
+pub const STATUS_UNAUTHORIZED: u8 = 0x03;
+
+// ── Tests ────────────────────────────────────────────────────────────────────
+
+test "auth disabled returns admin" {
+    var store = AuthStore{};
+    try std.testing.expectEqual(Permission.admin, store.verify("anything").?);
+}
+
+test "add and verify key" {
+    var store = AuthStore{};
+    _ = store.addKey("my-secret-key", "test-key", .read_write);
+    try std.testing.expectEqual(Permission.read_write, store.verify("my-secret-key").?);
+    try std.testing.expectEqual(@as(?Permission, null), store.verify("wrong-key"));
+}
+
+test "read-only key cannot write" {
+    var store = AuthStore{};
+    _ = store.addKey("reader", "reader", .read_only);
+    const perm = store.verify("reader").?;
+    try std.testing.expect(perm == .read_only);
+}
+
+test "extract HTTP key" {
+    const req = "GET /db/users HTTP/1.1\r\nX-Api-Key: abc123\r\nHost: localhost\r\n\r\n";
+    const key = AuthStore.extractHttpKey(req).?;
+    try std.testing.expectEqualStrings("abc123", key);
+}
+
+test "extract HTTP key missing" {
+    const req = "GET /db/users HTTP/1.1\r\nHost: localhost\r\n\r\n";
+    try std.testing.expectEqual(@as(?[]const u8, null), AuthStore.extractHttpKey(req));
+}
@@ -0,0 +1,112 @@
+/// TurboDB — Cursor-based Pagination
+///
+/// Opaque cursor tokens for stateless, consistent pagination.
+/// Cursors encode the last-seen doc_id as a base64 token — stable even
+/// when documents are inserted/deleted between pages.
+///
+/// Usage:
+///   1. First page:  scan(limit=100, cursor=null) → results + next_cursor
+///   2. Next page:   scan(limit=100, cursor=next_cursor) → results + next_cursor
+///   3. Last page:   next_cursor = null when no more results
+const std = @import("std");
+
+/// A cursor token. Encodes the last-seen doc_id for stable pagination.
+pub const Cursor = struct {
+    last_doc_id: u64,
+
+    /// Encode cursor to a URL-safe string (hex-encoded u64).
+    pub fn encode(self: Cursor) [16]u8 {
+        const hex = "0123456789abcdef";
+        var out: [16]u8 = undefined;
+        var v = self.last_doc_id;
+        var i: usize = 16;
+        while (i > 0) {
+            i -= 1;
+            out[i] = hex[@intCast(v & 0xf)];
+            v >>= 4;
+        }
+        return out;
+    }
+
+    /// Decode cursor from hex string.
+    pub fn decode(token: []const u8) ?Cursor {
+        if (token.len != 16) return null;
+        var val: u64 = 0;
+        for (token) |c| {
+            val <<= 4;
+            if (c >= '0' and c <= '9') {
+                val |= @as(u64, c - '0');
+            } else if (c >= 'a' and c <= 'f') {
+                val |= @as(u64, c - 'a' + 10);
+            } else {
+                return null;
+            }
+        }
+        return .{ .last_doc_id = val };
+    }
+};
+
+/// Result of a cursor-paginated scan.
+pub const CursorPage = struct {
+    /// Number of documents in this page.
+    count: u32,
+    /// Next cursor token (null = no more pages).
+    next_cursor: ?[16]u8,
+    /// Whether there are more results.
+    has_more: bool,
+};
+
+/// Create a cursor page result from a scan.
+/// `last_id`: doc_id of the last document in the current page.
+/// `total_returned`: number of docs returned.
+/// `limit`: requested limit.
+pub fn makePage(last_id: u64, total_returned: u32, limit: u32) CursorPage {
+    if (total_returned < limit) {
+        return .{ .count = total_returned, .next_cursor = null, .has_more = false };
+    }
+    const cursor = Cursor{ .last_doc_id = last_id };
+    return .{ .count = total_returned, .next_cursor = cursor.encode(), .has_more = true };
+}
+
+// ── Tests ────────────────────────────────────────────────────────────────────
+
+test "cursor encode/decode round-trip" {
+    const c = Cursor{ .last_doc_id = 12345678 };
+    const encoded = c.encode();
+    const decoded = Cursor.decode(&encoded).?;
+    try std.testing.expectEqual(c.last_doc_id, decoded.last_doc_id);
+}
+
+test "cursor encode zero" {
+    const c = Cursor{ .last_doc_id = 0 };
+    const encoded = c.encode();
+    try std.testing.expectEqualStrings("0000000000000000", &encoded);
+}
+
+test "cursor encode max" {
+    const c = Cursor{ .last_doc_id = std.math.maxInt(u64) };
+    const encoded = c.encode();
+    try std.testing.expectEqualStrings("ffffffffffffffff", &encoded);
+    const decoded = Cursor.decode(&encoded).?;
+    try std.testing.expectEqual(c.last_doc_id, decoded.last_doc_id);
+}
+
+test "cursor decode invalid length" {
+    try std.testing.expectEqual(@as(?Cursor, null), Cursor.decode("abc"));
+}
+
+test "cursor decode invalid chars" {
+    try std.testing.expectEqual(@as(?Cursor, null), Cursor.decode("000000000000gggg"));
+}
+
+test "make page with more results" {
+    const page = makePage(42, 100, 100);
+    try std.testing.expect(page.has_more);
+    try std.testing.expect(page.next_cursor != null);
+}
+
+test "make page last page" {
+    const page = makePage(42, 50, 100);
+    try std.testing.expect(!page.has_more);
+    try std.testing.expectEqual(@as(?[16]u8, null), page.next_cursor);
+}